Data Breaches and Identity Theft

This paper presents a monetary-theoretic model to study the implications of networks' collection of personal identifying data and data security on each other's incidence and costs of identity theft. To facilitate trade, agents join clubs (networks) that compile and secure data. Too much data collection and too little security arise in equilibrium with noncooperative networks compared with the efficient allocation. A number of potential remedies are analyzed: mandated limits on the amount of data collected, mandated security levels, reallocations of data-breach costs, and data sharing through a merger of the networks.

The authors thank participants at the Chicago Fed Workshop on Money, Banking, and Payments for helpful comments. The views expressed here are the authors' and not necessarily those of the Federal Reserve Bank of Atlanta or the Federal Reserve System. Any remaining errors are the authors' responsibility.